Ken wrote:
> Hi Erwin,
> I do not have a problem but am interested in how others handle this.
> "Should I destroy all session variables and the session cookie after I am
> finished with them?"

Hi Ken,

No.
But I don't understand why you worry about the user that reloads the page.
Here is how I approach it, and I don't run into your question.
Hope this helps to clarify the issue. :-)
If you decide 'you are finished with the session', that is probably because
your visitor decides to log out or something like that.
If your visitor logs out, you send him to a page (logout.php or something)
which contains some code that clearly ends the session.
If you are polite you also say to your visitor: "Your session ended, hope to
see you again soon!" or something like that.
If he reloads that page, he'll just get the same message.
Suppose you stored in the session whether somebody logged in correctly using some
username/password:
    $_SESSION["authenticated"] = "Y";
and you check on all php-pages where authentication is needed for the
existence and correct value of $_SESSION["authenticated"].
    session_start(); // needed before $_SESSION is available on this page
    // check both existence and value, so an unset flag is treated as "not logged in"
    if (!isset($_SESSION["authenticated"]) || $_SESSION["authenticated"] != "Y") {
        // go away!
        header("Location: loginhere.php");
        exit;
    }
OK?
Then in logout.php you only have to delete all session variables by the
simple command:
    $_SESSION = array();
which sets the session to an empty array, so no $_SESSION["authenticated"]
will exist.
This will not destroy the session, but will empty it, making it useless to
come back to pages that require $_SESSION["authenticated"] == "Y"
If you wonder what happens to the file after the session ends, that is
described in php.ini. I gave you the relevant entries in my last posting.
(session.gc_probability = 1 and the like, that determine when PHP decides
to do a session-garbage-collection round by checking all the session files)
But you don't have to worry about that, because the php executable will take
care of that. You can however use it to fine-tune the behaviour of heavily
visited sites.
To summarize:
1) Make sure you start a session with your visitor. (by cookie or
URL-rewriting)
2) store in the session all relevant data. (like if the visitor has rights
for this or that page)
3) When the user logs out: empty the session.
4) Make sure you check the session for the correct values of the visitor on
all pages where extra rights are needed.
Hope that helps!
Regards,
Erwin Moller
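Added example (not Erwin's or Ken's code): a complete logout.php built on the four steps summarized above, together with the check that the protected pages would include. It goes one step further than the thread's `$_SESSION = array()` and also expires the session cookie and removes the server-side session data, which is what Ken's question was about. The file names loginhere.php and logout.php come from the thread; the function names require_auth, mark_logged_in and end_session, and the session key "user", are assumptions made for this example.

```php
<?php
// logout.php (added example, not the thread's own code)

// --- helper used by every page that needs extra rights ----------------------
// Checks both the existence and the value of the flag, as the thread advises.
function require_auth()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION["authenticated"]) || $_SESSION["authenticated"] !== "Y") {
        header("Location: loginhere.php");
        exit;
    }
}

// --- helper for loginhere.php, called after the username/password check -----
// The session ID is replaced on login, so an ID the visitor already had before
// authenticating is not the one that now carries the authenticated flag.
function mark_logged_in($username)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION["authenticated"] = "Y";
    $_SESSION["user"] = $username;   // "user" key is an assumption
}

// --- the actual logout --------------------------------------------------------
function end_session()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1) Empty the session. This alone is what the thread recommends, and it
    //    already makes the old session useless for pages that call require_auth().
    $_SESSION = array();

    // 2) Expire the session cookie in the browser, so the old ID is not sent
    //    back on the next request. Cookie parameters mirror php.ini settings.
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        setcookie(session_name(), "", time() - 42000,
                  $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }

    // 3) Remove the server-side session data now instead of waiting for the
    //    garbage-collection round controlled by session.gc_probability.
    session_destroy();
}

end_session();
// Reloading logout.php just runs the same cleanup on a fresh, empty session
// and shows the same message, which is the behaviour described in the thread.
echo "Your session ended, hope to see you again soon!";
```

Pages that need rights call require_auth() at the top; loginhere.php calls mark_logged_in() once the credentials are verified. session_status() and the $httponly argument of setcookie() need PHP 5.4 and 5.2 respectively; on older versions drop the status check and the last argument.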